About Arachnys

Arachnys harnesses the world’s information to make the world a safer place. We are passionate about helping financial institutions revolutionize the way bad actors are thwarted -- to secure our collective futures. And everyone who works at Arachnys shares a common destination to deliver on that vision -- we strive to build superior Know Your Customer (KYC), Anti-Money Laundering (AML) and Enhanced Due Diligence (EDD) solutions, and a great company that does good in the world.

Investigators should be able to impact a risk score. Annual reviews allow you to learn a lot more than what a model based or tool based approach can do.

The key topic was the introduction of the DoT CDD regulations under the Bank Secrecy Act, which need to be implemented by May 2018. FIs should have made sure they are on track to implement them, and should keep time aside for testing before the rules go live! The majority of banks have begun implementation, but the project is still ongoing.

The CDD rules have 4 components. The new provisions are centered on identifying the UBOs of legal entity customers, leading to a risk-based CDD programme.

The rule should be a floor, not a ceiling. The regulators are "laser focused" on risk-based examinations. It will force improved customer risk profiles.

All regulators on the panel identified the following problems:

Customer risk rating methodologies that do not facilitate reasonable understanding of the customer’s AML risk.

Situations where the risk rating did not lead to greater scrutiny.

Some CDD Processes had been poorly documented or delayed.

FINCEN notes that within the Beneficial Ownership section, FIs are approaching these CDD rules in different ways. Any of these approaches could be effective, but inconsistency will become a problem.

Customer onboarding methodologies are still inconsistent with customer risk. The methodologies need to keep up. Client risk rating methodologies are still being used as a check box, which is no longer acceptable. That information needs to complement everything else you do.

The Office of the Superintendent of Financial Institutions (OSFI):

The Office of the Superintendent of Financial Institutions (OSFI) has addressed the problems in the development and application of methodologies. Banks lack a good rationale for client risk ratings.

There is a lack of consistency in decentralised FIs. Some institutions are only developing 3 lines of defense, and in many FIs the 2nd line of defense is still at different stages of maturity. A stronger second line would enable banks to be proactive in their assessment of risk, and manage risk proactively rather than waiting for the third line to come in.

Differences between Canada and US regulation:

Ongoing monitoring in Canada does not envision a trigger event for lower risk customers.

The standard for checking UBOs is higher than in the US. You need to obtain as well as confirm the information; the latter is difficult in Canada because of the lack of corporate registries and the difficulty of obtaining information.

FINRA on data integrity: lots of FIs are using systems that were built 10 years ago but the data requirements have changed and systems are not always updated. With multiple regulators, FIs have multiple expectations, but so do examiners.

There is a requirement to collect information at the 25% UBO/ownership threshold: the regulators had to make a determination, and chose 25% because it has become an international standard.

BSA officer/AML/CFT are more than cost containment centers: they must help to protect financial integrity of the bank and the US financial system.

Most FIs have model and tool processes that are very subjective, making the controls even more important. Some FIs even have a panel of experts to make sure sound judgments are applied. It is not one size fits all. Controls must be documented clearly.

A CRR is not:

The same as the BSA / AML risk assessment

A one size fits all approach to segmenting customers by risk level

The same across all institutions

Disconnected from the overall risk framework

A CRR is:

A regulatory expectation

A mechanism for segmenting the customer base to inform risk-based CDD

A tool to support relationship acceptance and risk mitigation strategies

Consistently applied across the enterprise

Commensurate with FI’s risk profile.

Collaboration between the first and second line of defense is imperative. Most lines of business (LOBs) don't know their high risk customers (HRCs). Establish an integrated conversation with your first line of defense.

Common challenges:

Model management (the governance of the model is so important because it's so judgmental)

Potentially high costs of managing CRR (because of high false positives)

Evolving regulatory guidance

Timing of running a customer screening.

While HRCs are reviewed yearly, one should also have trigger events that require a review in the midst of the review cycle. During the transaction monitoring process, you find suspicious activities and bad actors, and the more effective you are the more comfort you have in your CRR program.

Regulators expect evolution at the same pace as the data and technology. The partnership between first and second line plays a critical role.

Leverage the output of your CRR to inform your first line to make better decisions early. Tight integration between the modelling and investigative teams is important.

The first line (relationship managers) do not currently understand that they own the risk.

A risk appetite statement should be a living document: an iron-clad document that articulates clearly what the risks are, what they apply to and who owns the risk. It's important to create uniformity to understand risk acceptance. This does not mean that the document should not be adapted with regulatory changes, but it cannot be subject to interpretation.

Panelists suggested putting a governance framework in place. Recommended members would be from your legal, compliance, operations and financial crime teams. On a monthly or quarterly basis this governance framework should review the stats of all work done within AML: review the number of closed alerts, and the number of HRCs escalated.

A governance framework would allow you to mitigate the risk and keep the pulse of the entire organisation. How many ‘aged’ alerts are there?

Panelists urge FIs to have a governance framework that monitors those trends with different stakeholders: they can help identify underlying issues or whether the scenarios aren’t tuned correctly.

Compliance operations and senior leadership from LOBs need to have a seat at the risk governance framework table. Audit is often not involved, but they have to be, since they see control failures and gaps. The first line of defense looks at revenue streams, but they need to be included in the enterprise-wide risk assessment.

Panelists stressed the importance of collecting qualitative but also quantitative data.

Further to that, documentation needs to be clear and auditable. On qualitative data: it's hard to tell how an algorithm comes up with a decision. Machines can learn, but they assess data differently than humans. It's hard to explain this to regulators.

Having good procedures is great but adherence is more challenging to achieve. Decisions need to be documented.

For effective CDD, compliance professionals need to take into consideration two prongs:

Ownership prong: Each individual who directly or indirectly owns 25% or more of the equity interests of a legal entity customer.

Control prong: a single individual with significant responsibility to control, manage, or direct a legal entity customer, including an executive officer or senior manager (e.g. CEO, CFO) or any other individual who performs a similar function.
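As an added illustration of the ownership prong (this is example code, not Arachnys' or the panel's), the script below walks a layered ownership structure and attributes equity to the individuals behind it. It assumes that indirect ownership is computed by multiplying the percentages along each chain of entities and summing across chains, which is one common reading of "directly or indirectly" rather than a rule the page states; the entity names and percentages are constructed. It also reports equity that ends in an entity with no ownership data (the "obtain as well as confirm" gap) and rejects circular cross-holdings instead of looping on them.

```python
"""Ownership-prong calculation over a layered legal entity structure (added example).

Assumption (not from the page): an individual's indirect ownership of the
customer is the product of the percentages along each ownership chain, summed
over all chains. The control prong is a separate determination and is not
modelled here.
"""
from collections import defaultdict

# Constructed sample data: entity -> list of (owner, fraction of equity held).
# "OffshoreTrust" has no ownership data on file, so its share stays unresolved.
OWNERSHIP = {
    "CustomerCo": [("HoldCo", 0.60), ("Alice", 0.30), ("Bob", 0.10)],
    "HoldCo": [("Alice", 0.50), ("Carol", 0.40), ("OffshoreTrust", 0.10)],
}
INDIVIDUALS = {"Alice", "Bob", "Carol"}   # natural persons in the structure
THRESHOLD = 0.25                          # the 25% UBO threshold from the rule


def validate_shares(ownership, tolerance=1e-6):
    """Return entities whose recorded equity does not add up to 100%."""
    return sorted(
        entity for entity, holders in ownership.items()
        if abs(sum(share for _, share in holders) - 1.0) > tolerance
    )


def effective_ownership(entity, ownership, individuals):
    """Attribute the customer's equity to individuals through every chain.

    Returns (totals, unresolved): totals maps each individual to the fraction
    of the customer they own directly or indirectly; unresolved maps each
    entity with no ownership data to the fraction of the customer that stops
    there and still needs to be obtained and confirmed.
    """
    totals = defaultdict(float)
    unresolved = defaultdict(float)

    def walk(node, fraction, path):
        if node in path:
            # A cross-holding loop (A owns B owns A) would never terminate.
            raise ValueError(f"circular ownership involving {node}")
        if node not in ownership:
            unresolved[node] += fraction
            return
        for owner, share in ownership[node]:
            contribution = fraction * share
            if owner in individuals:
                totals[owner] += contribution
            else:
                walk(owner, contribution, path | {node})

    walk(entity, 1.0, frozenset())
    return dict(totals), dict(unresolved)


def beneficial_owners(entity, ownership, individuals, threshold=THRESHOLD):
    """Individuals at or above the threshold, sorted by name."""
    totals, _ = effective_ownership(entity, ownership, individuals)
    return sorted(name for name, frac in totals.items() if frac >= threshold - 1e-9)


if __name__ == "__main__":
    print("entities with inconsistent shares:", validate_shares(OWNERSHIP))
    totals, unresolved = effective_ownership("CustomerCo", OWNERSHIP, INDIVIDUALS)
    for name, frac in sorted(totals.items()):
        print(f"{name:8s} {frac:6.1%}")
    print("unresolved:", unresolved)
    print("beneficial owners (ownership prong):",
          beneficial_owners("CustomerCo", OWNERSHIP, INDIVIDUALS))
```

In the constructed structure Alice ends up with 60% (30% direct plus 30% via HoldCo) and is the only individual caught by the ownership prong, while Carol sits at 24% and is missed by one point, which is why the threshold choice matters. The 6% that stops at OffshoreTrust is reported separately so the investigator sees what remains unconfirmed rather than having it silently dropped.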

No bank chooses the 25% threshold without analysis; each bank needs to look at its HRCs, its products & services. You need to trust your customer risk scoring system to effectively triage the alerts, with risk-based determination.

How should banks manage the data collected?

The data ‘flow’ is an important factor in data management for FIs. Where does it come in? Where does it need to go? How do we monitor it? Where does it get scored?

Do you need to do a refresh, or can you reuse a grandfathered piece of information? Do you need to redo the check entirely, or can you reuse information received in the past as long as the customer confirms it's still accurate? Document, document, document. Collaborate with your AML officer and go through the most difficult possible scenarios ahead of the CDD rule deadlines.

There is a real burden on vendors for technology to address these new requirements.

FIs need to have a plan B if vendors are not ready to address new regulations. The new rules state you don’t have to follow the 25% rule for an existing account unless there is a trigger event. You need to have a discussion about what triggers these events, and be careful which of the triggers you list. Making a SAR a trigger event, for example, could overwhelm the process.

There is increasing pressure from managers to disposition alerts, rather than throwing bodies at them. The industry is now moving towards virtual robotics & process automation that will change the white collar workforce. The impact of this will be huge, automating the investigation management and data retrieval process.

The anti-financial-crime framework is facing threats. Budgets are increasing, but fines are also increasing, creating more and more pressure for FIs.

Here are some relevant findings from a recent study by McKenzie:

80% of time is spent on issues of low or moderate material risk, with only 20% spent on high risk issues.

No integrated view across the enterprise.

There is little consistent understanding of material risks due to different standards and different teams.

Senior management are not in a position to obtain a reliable view of compliance risks or controls.

Machine-learning and AI will be the most important general purpose technology of our era. Perception and cognition will be the areas of greatest advance, indicated by recent improvements in voice and image recognition. In the end, AI is based on machine-learning. Machine learning is based on analytics. Analytics is based on data infrastructure.

False positive reduction is possible with 3 approaches:

Combining external with internal data

Segmentation: taking huge datasets and finding out what the right clusters and segments are (looking at customers, accounts and transactions).

Hard-coded rules will fail; they need to be adaptive.

BSA/AML domain: AI and ML have opportunities to be used in monitoring/screening, as well as in management of false positives, alert dispositioning and risk assessment. These areas are amenable to AI/ML techniques. However, the transition to AI and ML should be managed carefully to ensure transparency and regulatory buy-in. FIs are also investing in RPA.

People are automating assessment of negative news, using algorithms to help make decisions. To make this work, it is imperative to break down the decision points.

In several areas, the application of this technology has been less than successful:

Automating decisions on sanctions alerts and applying those decisions to risk scoring. There is not enough training data in that domain for it to work.

Pitfalls of automation: Google or another vendor may block you. Protocols are not in place to warn of bot-blocking that prevents data retrieval.

Keep a healthy dose of skepticism towards AI and ML. It is smarter to talk about intelligence augmentation at the moment. Regulators are starting to look at the algorithms, but they are still struggling to test it properly. They set a standard of red flags to be caught and then question the output. Model validation guidelines have not yet caught up to the algorithms.